1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * 4 * Copyright (C) International Business Machines Corp., 2002,2011 5 * Etersoft, 2012 6 * Author(s): Steve French (sfrench@us.ibm.com) 7 * Pavel Shilovsky (pshilovsky@samba.org) 2012 8 * 9 */ 10 #include <crypto/sha2.h> 11 #include <linux/ctype.h> 12 #include "cifsglob.h" 13 #include "cifsproto.h" 14 #include "smb2proto.h" 15 #include "cifs_debug.h" 16 #include "cifs_unicode.h" 17 #include "../common/smb2status.h" 18 #include "smb2glob.h" 19 #include "nterr.h" 20 #include "cached_dir.h" 21 22 static int 23 check_smb2_hdr(struct smb2_hdr *shdr, __u64 mid) 24 { 25 __u64 wire_mid = le64_to_cpu(shdr->MessageId); 26 27 /* 28 * Make sure that this really is an SMB, that it is a response, 29 * and that the message ids match. 30 */ 31 if ((shdr->ProtocolId == SMB2_PROTO_NUMBER) && 32 (mid == wire_mid)) { 33 if (shdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 34 return 0; 35 else { 36 /* only one valid case where server sends us request */ 37 if (shdr->Command == SMB2_OPLOCK_BREAK) 38 return 0; 39 else 40 cifs_dbg(VFS, "Received Request not response\n"); 41 } 42 } else { /* bad signature or mid */ 43 if (shdr->ProtocolId != SMB2_PROTO_NUMBER) 44 cifs_dbg(VFS, "Bad protocol string signature header %x\n", 45 le32_to_cpu(shdr->ProtocolId)); 46 if (mid != wire_mid) 47 cifs_dbg(VFS, "Mids do not match: %llu and %llu\n", 48 mid, wire_mid); 49 } 50 cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid); 51 return 1; 52 } 53 54 /* 55 * The following table defines the expected "StructureSize" of SMB2 responses 56 * in order by SMB2 command. This is similar to "wct" in SMB/CIFS responses. 57 * 58 * Note that commands are defined in smb2pdu.h in le16 but the array below is 59 * indexed by command in host byte order 60 */ 61 static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = { 62 /* SMB2_NEGOTIATE */ cpu_to_le16(65), 63 /* SMB2_SESSION_SETUP */ cpu_to_le16(9), 64 /* SMB2_LOGOFF */ cpu_to_le16(4), 65 /* SMB2_TREE_CONNECT */ cpu_to_le16(16), 66 /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4), 67 /* SMB2_CREATE */ cpu_to_le16(89), 68 /* SMB2_CLOSE */ cpu_to_le16(60), 69 /* SMB2_FLUSH */ cpu_to_le16(4), 70 /* SMB2_READ */ cpu_to_le16(17), 71 /* SMB2_WRITE */ cpu_to_le16(17), 72 /* SMB2_LOCK */ cpu_to_le16(4), 73 /* SMB2_IOCTL */ cpu_to_le16(49), 74 /* BB CHECK this ... not listed in documentation */ 75 /* SMB2_CANCEL */ cpu_to_le16(0), 76 /* SMB2_ECHO */ cpu_to_le16(4), 77 /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9), 78 /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9), 79 /* SMB2_QUERY_INFO */ cpu_to_le16(9), 80 /* SMB2_SET_INFO */ cpu_to_le16(2), 81 /* BB FIXME can also be 44 for lease break */ 82 /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24) 83 }; 84 85 #define SMB311_NEGPROT_BASE_SIZE (sizeof(struct smb2_hdr) + sizeof(struct smb2_negotiate_rsp)) 86 87 static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, 88 __u32 non_ctxlen) 89 { 90 __u16 neg_count; 91 __u32 nc_offset, size_of_pad_before_neg_ctxts; 92 struct smb2_negotiate_rsp *pneg_rsp = (struct smb2_negotiate_rsp *)hdr; 93 94 /* Negotiate contexts are only valid for latest dialect SMB3.11 */ 95 neg_count = le16_to_cpu(pneg_rsp->NegotiateContextCount); 96 if ((neg_count == 0) || 97 (pneg_rsp->DialectRevision != cpu_to_le16(SMB311_PROT_ID))) 98 return 0; 99 100 /* 101 * if SPNEGO blob present (ie the RFC2478 GSS info which indicates 102 * which security mechanisms the server supports) make sure that 103 * the negotiate contexts start after it 104 */ 105 nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset); 106 /* 107 * non_ctxlen is at least shdr->StructureSize + pdu->StructureSize2 108 * and the latter is 1 byte bigger than the fix-sized area of the 109 * NEGOTIATE response 110 */ 111 if (nc_offset + 1 < non_ctxlen) { 112 pr_warn_once("Invalid negotiate context offset %d\n", nc_offset); 113 return 0; 114 } else if (nc_offset + 1 == non_ctxlen) { 115 cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n"); 116 size_of_pad_before_neg_ctxts = 0; 117 } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1) 118 /* has padding, but no SPNEGO blob */ 119 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1; 120 else 121 size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen; 122 123 /* Verify that at least minimal negotiate contexts fit within frame */ 124 if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) { 125 pr_warn_once("negotiate context goes beyond end\n"); 126 return 0; 127 } 128 129 cifs_dbg(FYI, "length of negcontexts %d pad %d\n", 130 len - nc_offset, size_of_pad_before_neg_ctxts); 131 132 /* length of negcontexts including pad from end of sec blob to them */ 133 return (len - nc_offset) + size_of_pad_before_neg_ctxts; 134 } 135 136 int 137 smb2_check_message(char *buf, unsigned int pdu_len, unsigned int len, 138 struct TCP_Server_Info *server) 139 { 140 struct TCP_Server_Info *pserver; 141 struct smb2_hdr *shdr = (struct smb2_hdr *)buf; 142 struct smb2_pdu *pdu = (struct smb2_pdu *)shdr; 143 int hdr_size = sizeof(struct smb2_hdr); 144 int pdu_size = sizeof(struct smb2_pdu); 145 int command; 146 __u32 calc_len; /* calculated length */ 147 __u64 mid; 148 149 /* If server is a channel, select the primary channel */ 150 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 151 152 /* 153 * Add function to do table lookup of StructureSize by command 154 * ie Validate the wct via smb2_struct_sizes table above 155 */ 156 if (shdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) { 157 struct smb2_transform_hdr *thdr = 158 (struct smb2_transform_hdr *)buf; 159 struct cifs_ses *ses = NULL; 160 struct cifs_ses *iter; 161 162 /* decrypt frame now that it is completely read in */ 163 spin_lock(&cifs_tcp_ses_lock); 164 list_for_each_entry(iter, &pserver->smb_ses_list, smb_ses_list) { 165 if (iter->Suid == le64_to_cpu(thdr->SessionId)) { 166 ses = iter; 167 break; 168 } 169 } 170 spin_unlock(&cifs_tcp_ses_lock); 171 if (!ses) { 172 cifs_dbg(VFS, "no decryption - session id not found\n"); 173 return 1; 174 } 175 } 176 177 mid = le64_to_cpu(shdr->MessageId); 178 if (check_smb2_hdr(shdr, mid)) 179 return 1; 180 181 if (shdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { 182 cifs_dbg(VFS, "Invalid structure size %u\n", 183 le16_to_cpu(shdr->StructureSize)); 184 return 1; 185 } 186 187 command = le16_to_cpu(shdr->Command); 188 if (command >= NUMBER_OF_SMB2_COMMANDS) { 189 cifs_dbg(VFS, "Invalid SMB2 command %d\n", command); 190 return 1; 191 } 192 193 if (len < pdu_size) { 194 if ((len >= hdr_size) 195 && (shdr->Status != 0)) { 196 pdu->StructureSize2 = 0; 197 /* 198 * As with SMB/CIFS, on some error cases servers may 199 * not return wct properly 200 */ 201 return 0; 202 } else { 203 cifs_dbg(VFS, "Length less than SMB header size\n"); 204 } 205 return 1; 206 } 207 if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE) { 208 cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n", 209 mid); 210 return 1; 211 } 212 213 if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) { 214 if (command != SMB2_OPLOCK_BREAK_HE && (shdr->Status == 0 || 215 pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE)) { 216 /* error packets have 9 byte structure size */ 217 cifs_dbg(VFS, "Invalid response size %u for command %d\n", 218 le16_to_cpu(pdu->StructureSize2), command); 219 return 1; 220 } else if (command == SMB2_OPLOCK_BREAK_HE 221 && (shdr->Status == 0) 222 && (le16_to_cpu(pdu->StructureSize2) != 44) 223 && (le16_to_cpu(pdu->StructureSize2) != 36)) { 224 /* special case for SMB2.1 lease break message */ 225 cifs_dbg(VFS, "Invalid response size %d for oplock break\n", 226 le16_to_cpu(pdu->StructureSize2)); 227 return 1; 228 } 229 } 230 231 calc_len = smb2_calc_size(buf); 232 233 /* For SMB2_IOCTL, OutputOffset and OutputLength are optional, so might 234 * be 0, and not a real miscalculation */ 235 if (command == SMB2_IOCTL_HE && calc_len == 0) 236 return 0; 237 238 if (command == SMB2_NEGOTIATE_HE) 239 calc_len += get_neg_ctxt_len(shdr, len, calc_len); 240 241 if (len != calc_len) { 242 /* create failed on symlink */ 243 if (command == SMB2_CREATE_HE && 244 shdr->Status == STATUS_STOPPED_ON_SYMLINK) 245 return 0; 246 /* Windows 7 server returns 24 bytes more */ 247 if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) 248 return 0; 249 /* server can return one byte more due to implied bcc[0] */ 250 if (calc_len == len + 1) 251 return 0; 252 253 /* 254 * Some windows servers (win2016) will pad also the final 255 * PDU in a compound to 8 bytes. 256 */ 257 if (ALIGN(calc_len, 8) == len) 258 return 0; 259 260 /* 261 * MacOS server pads after SMB2.1 write response with 3 bytes 262 * of junk. Other servers match RFC1001 len to actual 263 * SMB2/SMB3 frame length (header + smb2 response specific data) 264 * Some windows servers also pad up to 8 bytes when compounding. 265 */ 266 if (calc_len < len) 267 return 0; 268 269 /* Only log a message if len was really miscalculated */ 270 if (unlikely(cifsFYI)) 271 cifs_dbg(FYI, "Server response too short: calculated " 272 "length %u doesn't match read length %u (cmd=%d, mid=%llu)\n", 273 calc_len, len, command, mid); 274 else 275 pr_warn("Server response too short: calculated length " 276 "%u doesn't match read length %u (cmd=%d, mid=%llu)\n", 277 calc_len, len, command, mid); 278 279 return 1; 280 } 281 return 0; 282 } 283 284 /* 285 * The size of the variable area depends on the offset and length fields 286 * located in different fields for various SMB2 responses. SMB2 responses 287 * with no variable length info, show an offset of zero for the offset field. 288 */ 289 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { 290 /* SMB2_NEGOTIATE */ true, 291 /* SMB2_SESSION_SETUP */ true, 292 /* SMB2_LOGOFF */ false, 293 /* SMB2_TREE_CONNECT */ false, 294 /* SMB2_TREE_DISCONNECT */ false, 295 /* SMB2_CREATE */ true, 296 /* SMB2_CLOSE */ false, 297 /* SMB2_FLUSH */ false, 298 /* SMB2_READ */ true, 299 /* SMB2_WRITE */ false, 300 /* SMB2_LOCK */ false, 301 /* SMB2_IOCTL */ true, 302 /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */ 303 /* SMB2_ECHO */ false, 304 /* SMB2_QUERY_DIRECTORY */ true, 305 /* SMB2_CHANGE_NOTIFY */ true, 306 /* SMB2_QUERY_INFO */ true, 307 /* SMB2_SET_INFO */ false, 308 /* SMB2_OPLOCK_BREAK */ false 309 }; 310 311 /* 312 * Returns the pointer to the beginning of the data area. Length of the data 313 * area and the offset to it (from the beginning of the smb are also returned. 314 */ 315 char * 316 smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *shdr) 317 { 318 const int max_off = 4096; 319 const int max_len = 128 * 1024; 320 321 *off = 0; 322 *len = 0; 323 324 /* error responses do not have data area */ 325 if (shdr->Status && shdr->Status != STATUS_MORE_PROCESSING_REQUIRED && 326 (((struct smb2_err_rsp *)shdr)->StructureSize) == 327 SMB2_ERROR_STRUCTURE_SIZE2_LE) 328 return NULL; 329 330 /* 331 * Following commands have data areas so we have to get the location 332 * of the data buffer offset and data buffer length for the particular 333 * command. 334 */ 335 switch (shdr->Command) { 336 case SMB2_NEGOTIATE: 337 *off = le16_to_cpu( 338 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferOffset); 339 *len = le16_to_cpu( 340 ((struct smb2_negotiate_rsp *)shdr)->SecurityBufferLength); 341 break; 342 case SMB2_SESSION_SETUP: 343 *off = le16_to_cpu( 344 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferOffset); 345 *len = le16_to_cpu( 346 ((struct smb2_sess_setup_rsp *)shdr)->SecurityBufferLength); 347 break; 348 case SMB2_CREATE: 349 *off = le32_to_cpu( 350 ((struct smb2_create_rsp *)shdr)->CreateContextsOffset); 351 *len = le32_to_cpu( 352 ((struct smb2_create_rsp *)shdr)->CreateContextsLength); 353 break; 354 case SMB2_QUERY_INFO: 355 *off = le16_to_cpu( 356 ((struct smb2_query_info_rsp *)shdr)->OutputBufferOffset); 357 *len = le32_to_cpu( 358 ((struct smb2_query_info_rsp *)shdr)->OutputBufferLength); 359 break; 360 case SMB2_READ: 361 /* TODO: is this a bug ? */ 362 *off = ((struct smb2_read_rsp *)shdr)->DataOffset; 363 *len = le32_to_cpu(((struct smb2_read_rsp *)shdr)->DataLength); 364 break; 365 case SMB2_QUERY_DIRECTORY: 366 *off = le16_to_cpu( 367 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferOffset); 368 *len = le32_to_cpu( 369 ((struct smb2_query_directory_rsp *)shdr)->OutputBufferLength); 370 break; 371 case SMB2_IOCTL: 372 *off = le32_to_cpu( 373 ((struct smb2_ioctl_rsp *)shdr)->OutputOffset); 374 *len = le32_to_cpu( 375 ((struct smb2_ioctl_rsp *)shdr)->OutputCount); 376 break; 377 case SMB2_CHANGE_NOTIFY: 378 *off = le16_to_cpu( 379 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferOffset); 380 *len = le32_to_cpu( 381 ((struct smb2_change_notify_rsp *)shdr)->OutputBufferLength); 382 break; 383 default: 384 cifs_dbg(VFS, "no length check for command %d\n", le16_to_cpu(shdr->Command)); 385 break; 386 } 387 388 /* 389 * Invalid length or offset probably means data area is invalid, but 390 * we have little choice but to ignore the data area in this case. 391 */ 392 if (unlikely(*off < 0 || *off > max_off || 393 *len < 0 || *len > max_len)) { 394 cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n", 395 __func__, *off, *len); 396 *off = 0; 397 *len = 0; 398 } else if (*off == 0) { 399 *len = 0; 400 } 401 402 /* return pointer to beginning of data area, ie offset from SMB start */ 403 if (*off > 0 && *len > 0) 404 return (char *)shdr + *off; 405 return NULL; 406 } 407 408 /* 409 * Calculate the size of the SMB message based on the fixed header 410 * portion, the number of word parameters and the data portion of the message. 411 */ 412 unsigned int 413 smb2_calc_size(void *buf) 414 { 415 struct smb2_pdu *pdu = buf; 416 struct smb2_hdr *shdr = &pdu->hdr; 417 int offset; /* the offset from the beginning of SMB to data area */ 418 int data_length; /* the length of the variable length data area */ 419 /* Structure Size has already been checked to make sure it is 64 */ 420 int len = le16_to_cpu(shdr->StructureSize); 421 422 /* 423 * StructureSize2, ie length of fixed parameter area has already 424 * been checked to make sure it is the correct length. 425 */ 426 len += le16_to_cpu(pdu->StructureSize2); 427 428 if (has_smb2_data_area[le16_to_cpu(shdr->Command)] == false) 429 goto calc_size_exit; 430 431 smb2_get_data_area_len(&offset, &data_length, shdr); 432 cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset); 433 434 if (data_length > 0) { 435 /* 436 * Check to make sure that data area begins after fixed area, 437 * Note that last byte of the fixed area is part of data area 438 * for some commands, typically those with odd StructureSize, 439 * so we must add one to the calculation. 440 */ 441 if (offset + 1 < len) { 442 cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n", 443 offset + 1, len); 444 data_length = 0; 445 } else { 446 len = offset + data_length; 447 } 448 } 449 calc_size_exit: 450 cifs_dbg(FYI, "SMB2 len %d\n", len); 451 return len; 452 } 453 454 /* Note: caller must free return buffer */ 455 __le16 * 456 cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb) 457 { 458 const char *start_of_path; 459 int len; 460 461 /* Windows doesn't allow paths beginning with \ */ 462 if (from[0] == '\\') 463 start_of_path = from + 1; 464 465 /* SMB311 POSIX extensions paths do not include leading slash */ 466 else if (cifs_sb_master_tlink(cifs_sb) && 467 cifs_sb_master_tcon(cifs_sb)->posix_extensions && 468 (from[0] == '/')) { 469 start_of_path = from + 1; 470 } else 471 start_of_path = from; 472 473 return cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len, 474 cifs_sb->local_nls, cifs_remap(cifs_sb)); 475 } 476 477 __le32 smb2_get_lease_state(struct cifsInodeInfo *cinode, unsigned int oplock) 478 { 479 unsigned int sbflags = cifs_sb_flags(CIFS_SB(cinode)); 480 __le32 lease = 0; 481 482 if ((oplock & CIFS_CACHE_WRITE_FLG) || (sbflags & CIFS_MOUNT_RW_CACHE)) 483 lease |= SMB2_LEASE_WRITE_CACHING_LE; 484 if (oplock & CIFS_CACHE_HANDLE_FLG) 485 lease |= SMB2_LEASE_HANDLE_CACHING_LE; 486 if ((oplock & CIFS_CACHE_READ_FLG) || (sbflags & CIFS_MOUNT_RO_CACHE)) 487 lease |= SMB2_LEASE_READ_CACHING_LE; 488 return lease; 489 } 490 491 struct smb2_lease_break_work { 492 struct work_struct lease_break; 493 struct tcon_link *tlink; 494 __u8 lease_key[16]; 495 __le32 lease_state; 496 }; 497 498 static void 499 cifs_ses_oplock_break(struct work_struct *work) 500 { 501 struct smb2_lease_break_work *lw = container_of(work, 502 struct smb2_lease_break_work, lease_break); 503 int rc = 0; 504 505 rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key, 506 lw->lease_state); 507 508 cifs_dbg(FYI, "Lease release rc %d\n", rc); 509 cifs_put_tlink(lw->tlink); 510 kfree(lw); 511 } 512 513 static void 514 smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key, 515 __le32 new_lease_state) 516 { 517 struct smb2_lease_break_work *lw; 518 519 lw = kmalloc_obj(struct smb2_lease_break_work); 520 if (!lw) { 521 cifs_put_tlink(tlink); 522 return; 523 } 524 525 INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); 526 lw->tlink = tlink; 527 lw->lease_state = new_lease_state; 528 memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE); 529 queue_work(cifsiod_wq, &lw->lease_break); 530 } 531 532 static bool 533 smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) 534 { 535 __u8 lease_state; 536 struct cifsFileInfo *cfile; 537 struct cifsInodeInfo *cinode; 538 int ack_req = le32_to_cpu(rsp->Flags & 539 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 540 541 lease_state = le32_to_cpu(rsp->NewLeaseState); 542 543 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 544 cinode = CIFS_I(d_inode(cfile->dentry)); 545 546 if (memcmp(cinode->lease_key, rsp->LeaseKey, 547 SMB2_LEASE_KEY_SIZE)) 548 continue; 549 550 cifs_dbg(FYI, "found in the open list\n"); 551 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 552 lease_state); 553 554 if (ack_req) 555 cfile->oplock_break_cancelled = false; 556 else 557 cfile->oplock_break_cancelled = true; 558 559 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); 560 561 cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); 562 cfile->oplock_level = lease_state; 563 564 cifs_queue_oplock_break(cfile); 565 return true; 566 } 567 568 return false; 569 } 570 571 static struct cifs_pending_open * 572 smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, 573 struct smb2_lease_break *rsp) 574 { 575 __u8 lease_state = le32_to_cpu(rsp->NewLeaseState); 576 int ack_req = le32_to_cpu(rsp->Flags & 577 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); 578 struct cifs_pending_open *open; 579 struct cifs_pending_open *found = NULL; 580 581 list_for_each_entry(open, &tcon->pending_opens, olist) { 582 if (memcmp(open->lease_key, rsp->LeaseKey, 583 SMB2_LEASE_KEY_SIZE)) 584 continue; 585 586 if (!found && ack_req) { 587 found = open; 588 } 589 590 cifs_dbg(FYI, "found in the pending open list\n"); 591 cifs_dbg(FYI, "lease key match, lease break 0x%x\n", 592 lease_state); 593 594 open->oplock = lease_state; 595 } 596 597 return found; 598 } 599 600 static bool 601 smb2_is_valid_lease_break(char *buffer, struct TCP_Server_Info *server) 602 { 603 struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer; 604 struct TCP_Server_Info *pserver; 605 struct cifs_ses *ses; 606 struct cifs_tcon *tcon; 607 struct cifs_pending_open *open; 608 609 /* Trace receipt of lease break request from server */ 610 trace_smb3_lease_break_enter(le32_to_cpu(rsp->CurrentLeaseState), 611 le32_to_cpu(rsp->Flags), 612 le16_to_cpu(rsp->Epoch), 613 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 614 le64_to_cpu(rsp->hdr.SessionId), 615 *((u64 *)rsp->LeaseKey), 616 *((u64 *)&rsp->LeaseKey[8])); 617 618 cifs_dbg(FYI, "Checking for lease break\n"); 619 620 /* If server is a channel, select the primary channel */ 621 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 622 623 /* look up tcon based on tid & uid */ 624 spin_lock(&cifs_tcp_ses_lock); 625 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 626 if (cifs_ses_exiting(ses)) 627 continue; 628 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 629 spin_lock(&tcon->open_file_lock); 630 cifs_stats_inc( 631 &tcon->stats.cifs_stats.num_oplock_brks); 632 if (smb2_tcon_has_lease(tcon, rsp)) { 633 spin_unlock(&tcon->open_file_lock); 634 spin_unlock(&cifs_tcp_ses_lock); 635 return true; 636 } 637 open = smb2_tcon_find_pending_open_lease(tcon, 638 rsp); 639 if (open) { 640 __u8 lease_key[SMB2_LEASE_KEY_SIZE]; 641 struct tcon_link *tlink; 642 643 tlink = cifs_get_tlink(open->tlink); 644 memcpy(lease_key, open->lease_key, 645 SMB2_LEASE_KEY_SIZE); 646 spin_unlock(&tcon->open_file_lock); 647 spin_unlock(&cifs_tcp_ses_lock); 648 smb2_queue_pending_open_break(tlink, 649 lease_key, 650 rsp->NewLeaseState); 651 return true; 652 } 653 spin_unlock(&tcon->open_file_lock); 654 655 if (cached_dir_lease_break(tcon, rsp->LeaseKey)) { 656 spin_unlock(&cifs_tcp_ses_lock); 657 return true; 658 } 659 } 660 } 661 spin_unlock(&cifs_tcp_ses_lock); 662 cifs_dbg(FYI, "Can not process lease break - no lease matched\n"); 663 trace_smb3_lease_not_found(le32_to_cpu(rsp->CurrentLeaseState), 664 le32_to_cpu(rsp->Flags), 665 le16_to_cpu(rsp->Epoch), 666 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 667 le64_to_cpu(rsp->hdr.SessionId), 668 *((u64 *)rsp->LeaseKey), 669 *((u64 *)&rsp->LeaseKey[8])); 670 671 return false; 672 } 673 674 bool 675 smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) 676 { 677 struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer; 678 struct TCP_Server_Info *pserver; 679 struct cifs_ses *ses; 680 struct cifs_tcon *tcon; 681 struct cifsInodeInfo *cinode; 682 struct cifsFileInfo *cfile; 683 684 cifs_dbg(FYI, "Checking for oplock break\n"); 685 686 if (rsp->hdr.Command != SMB2_OPLOCK_BREAK) 687 return false; 688 689 if (rsp->StructureSize != 690 smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) { 691 if (le16_to_cpu(rsp->StructureSize) == 44) 692 return smb2_is_valid_lease_break(buffer, server); 693 else 694 return false; 695 } 696 697 cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel); 698 699 /* If server is a channel, select the primary channel */ 700 pserver = SERVER_IS_CHAN(server) ? server->primary_server : server; 701 702 /* look up tcon based on tid & uid */ 703 spin_lock(&cifs_tcp_ses_lock); 704 list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) { 705 if (cifs_ses_exiting(ses)) 706 continue; 707 list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { 708 709 spin_lock(&tcon->open_file_lock); 710 list_for_each_entry(cfile, &tcon->openFileList, tlist) { 711 if (rsp->PersistentFid != 712 cfile->fid.persistent_fid || 713 rsp->VolatileFid != 714 cfile->fid.volatile_fid) 715 continue; 716 717 cifs_dbg(FYI, "file id match, oplock break\n"); 718 cifs_stats_inc( 719 &tcon->stats.cifs_stats.num_oplock_brks); 720 cinode = CIFS_I(d_inode(cfile->dentry)); 721 spin_lock(&cfile->file_info_lock); 722 if (!CIFS_CACHE_WRITE(cinode) && 723 rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE) 724 cfile->oplock_break_cancelled = true; 725 else 726 cfile->oplock_break_cancelled = false; 727 728 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, 729 &cinode->flags); 730 731 cfile->oplock_epoch = 0; 732 cfile->oplock_level = rsp->OplockLevel; 733 734 spin_unlock(&cfile->file_info_lock); 735 736 cifs_queue_oplock_break(cfile); 737 738 spin_unlock(&tcon->open_file_lock); 739 spin_unlock(&cifs_tcp_ses_lock); 740 return true; 741 } 742 spin_unlock(&tcon->open_file_lock); 743 } 744 } 745 spin_unlock(&cifs_tcp_ses_lock); 746 cifs_dbg(FYI, "No file id matched, oplock break ignored\n"); 747 trace_smb3_oplock_not_found(0 /* no xid */, rsp->PersistentFid, 748 le32_to_cpu(rsp->hdr.Id.SyncId.TreeId), 749 le64_to_cpu(rsp->hdr.SessionId)); 750 751 return true; 752 } 753 754 void 755 smb2_cancelled_close_fid(struct work_struct *work) 756 { 757 struct close_cancelled_open *cancelled = container_of(work, 758 struct close_cancelled_open, work); 759 struct cifs_tcon *tcon = cancelled->tcon; 760 int rc; 761 762 if (cancelled->mid) 763 cifs_tcon_dbg(VFS, "Close unmatched open for MID:%llu\n", 764 cancelled->mid); 765 else 766 cifs_tcon_dbg(VFS, "Close interrupted close\n"); 767 768 rc = SMB2_close(0, tcon, cancelled->fid.persistent_fid, 769 cancelled->fid.volatile_fid); 770 if (rc) 771 cifs_tcon_dbg(VFS, "Close cancelled mid failed rc:%d\n", rc); 772 773 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close_fid); 774 kfree(cancelled); 775 } 776 777 /* 778 * Caller should already has an extra reference to @tcon 779 * This function is used to queue work to close a handle to prevent leaks 780 * on the server. 781 * We handle two cases. If an open was interrupted after we sent the 782 * SMB2_CREATE to the server but before we processed the reply, and second 783 * if a close was interrupted before we sent the SMB2_CLOSE to the server. 784 */ 785 static int 786 __smb2_handle_cancelled_cmd(struct cifs_tcon *tcon, __u16 cmd, __u64 mid, 787 __u64 persistent_fid, __u64 volatile_fid) 788 { 789 struct close_cancelled_open *cancelled; 790 791 cancelled = kzalloc_obj(*cancelled); 792 if (!cancelled) 793 return -ENOMEM; 794 795 cancelled->fid.persistent_fid = persistent_fid; 796 cancelled->fid.volatile_fid = volatile_fid; 797 cancelled->tcon = tcon; 798 cancelled->cmd = cmd; 799 cancelled->mid = mid; 800 INIT_WORK(&cancelled->work, smb2_cancelled_close_fid); 801 WARN_ON(queue_work(cifsiod_wq, &cancelled->work) == false); 802 803 return 0; 804 } 805 806 int 807 smb2_handle_cancelled_close(struct cifs_tcon *tcon, __u64 persistent_fid, 808 __u64 volatile_fid) 809 { 810 int rc; 811 812 cifs_dbg(FYI, "%s: tc_count=%d\n", __func__, tcon->tc_count); 813 spin_lock(&tcon->tc_lock); 814 if (tcon->tc_count <= 0) { 815 struct TCP_Server_Info *server = NULL; 816 817 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 818 netfs_trace_tcon_ref_see_cancelled_close); 819 WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative"); 820 spin_unlock(&tcon->tc_lock); 821 822 if (tcon->ses) { 823 server = tcon->ses->server; 824 cifs_server_dbg(FYI, 825 "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", 826 tcon->tid, persistent_fid, volatile_fid); 827 } 828 829 return 0; 830 } 831 tcon->tc_count++; 832 trace_smb3_tcon_ref(tcon->debug_id, tcon->tc_count, 833 netfs_trace_tcon_ref_get_cancelled_close); 834 spin_unlock(&tcon->tc_lock); 835 836 rc = __smb2_handle_cancelled_cmd(tcon, SMB2_CLOSE_HE, 0, 837 persistent_fid, volatile_fid); 838 if (rc) 839 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_close); 840 841 return rc; 842 } 843 844 int 845 smb2_handle_cancelled_mid(struct mid_q_entry *mid, struct TCP_Server_Info *server) 846 { 847 struct smb2_hdr *hdr = mid->resp_buf; 848 struct smb2_create_rsp *rsp = mid->resp_buf; 849 struct cifs_tcon *tcon; 850 int rc; 851 852 if ((mid->optype & CIFS_CP_CREATE_CLOSE_OP) || hdr->Command != SMB2_CREATE || 853 hdr->Status != STATUS_SUCCESS) 854 return 0; 855 856 tcon = smb2_find_smb_tcon(server, le64_to_cpu(hdr->SessionId), 857 le32_to_cpu(hdr->Id.SyncId.TreeId)); 858 if (!tcon) 859 return -ENOENT; 860 861 rc = __smb2_handle_cancelled_cmd(tcon, 862 le16_to_cpu(hdr->Command), 863 le64_to_cpu(hdr->MessageId), 864 rsp->PersistentFileId, 865 rsp->VolatileFileId); 866 if (rc) 867 cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cancelled_mid); 868 869 return rc; 870 } 871 872 /** 873 * smb311_update_preauth_hash - update @ses hash with the packet data in @iov 874 * 875 * Assumes @iov does not contain the rfc1002 length and iov[0] has the 876 * SMB2 header. 877 * 878 * @ses: server session structure 879 * @server: pointer to server info 880 * @iov: array containing the SMB request we will send to the server 881 * @nvec: number of array entries for the iov 882 */ 883 void 884 smb311_update_preauth_hash(struct cifs_ses *ses, struct TCP_Server_Info *server, 885 struct kvec *iov, int nvec) 886 { 887 int i; 888 struct smb2_hdr *hdr; 889 struct sha512_ctx sha_ctx; 890 891 hdr = (struct smb2_hdr *)iov[0].iov_base; 892 /* neg prot are always taken */ 893 if (hdr->Command == SMB2_NEGOTIATE) 894 goto ok; 895 896 /* 897 * If we process a command which wasn't a negprot it means the 898 * neg prot was already done, so the server dialect was set 899 * and we can test it. Preauth requires 3.1.1 for now. 900 */ 901 if (server->dialect != SMB311_PROT_ID) 902 return; 903 904 if (hdr->Command != SMB2_SESSION_SETUP) 905 return; 906 907 /* skip last sess setup response */ 908 if ((hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 909 && (hdr->Status == NT_STATUS_OK 910 || (hdr->Status != 911 cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED)))) 912 return; 913 914 ok: 915 sha512_init(&sha_ctx); 916 sha512_update(&sha_ctx, ses->preauth_sha_hash, SMB2_PREAUTH_HASH_SIZE); 917 for (i = 0; i < nvec; i++) 918 sha512_update(&sha_ctx, iov[i].iov_base, iov[i].iov_len); 919 sha512_final(&sha_ctx, ses->preauth_sha_hash); 920 } 921